1. Field of the Invention
The present invention relates to the field of data communications networks. More particularly, this invention relates to a method and apparatus for limiting the number of ISDN B-Channels that a group or individual is permitted to simultaneously use to communicate with one or more network access servers (NASes) at a point of presence (PoP) of a data communications network.
2. The Background
As well known to those of ordinary skill in the art, narrowband integrated services digital network (N-ISDN), or simply "ISDN" herein, is a telecommunications service provided by telephone companies (Telcos) to users for transferring digital information at relatively high speeds as compared to analog telephone circuits. Users typically receive a connection capable of a single "D-Channel" for out-of-band digital control signaling and one or more Basic Rate Interface "B-Channels" for 64-kbps data communications each. As it is possible to receive up to a maximum 23 or 30 B-channels depending upon one's service, it is therefore possible to construct parallel communications links which have large bandwidth.
Internet Service Providers (ISPs) and Telcos which provide internet service over dial-up ISDN lines generally expect that they will be providing service to a user with one or possibly two Basic Rate Interface B-Channels at 64 kbps each. Users and ISDN modem vendors have, however, figured out that a user with access to more than one B-Channel can initiate a relatively large number of Point-to-Point protocol (PPP) sessions between the user's computer and the ISP or Telco in order to create a multi-B-Channel digital link. These providers presently have no practical method for limiting users to a fixed number of B-Channels and/or charging a premium for such wide bandwidth links. In a typical retail model as shown in FIG. 1, an ISDN user will contact a network access server (NAS) using dial-up ISDN (integrated services digital network) telephone lines. The NAS interfaces the user with the data communications network. The way this works is that a user, for example, Joe@corpa.com, dials in to a NAS at ISP's Point of Presence (PoP1) on the Internet. A PPP (point to point protocol) session 12 is raised between NAS1 14, and Joe's terminal 16. A LCP (Link Control Protocol) session is raised between NAS1 and Joe's terminal. At this time the NAS1 generates an AAA authentication request using a protocol such as RADIUS (Remote Authentication Dial-In User Service) to the ISP's AAA (authentication, authorization and accounting) service 20. The AAA service 20 handles Joe's authentication (receipt and verification of password and user name), provisions him with appropriate authorizations, and handles accounting for the time and services used by Joe on the data communications network. The AAA service uses a local database 22 to store and retrieve AAA information. To complete Joe's log-in, an access-accept packet is sent to NAS1 from AAA service 20.
Then an IPCP (Internet Protocol Control Protocol) session is raised between NAS1 and Joe's terminal during which an IP address is returned to configure Joe's terminal's PPP stack. This completes the log-in of Joe. At present, there is little to restrict Joe from repeating this process a number of times to collect a number of B-Channel connections which can be paralleled to achieve a high bandwidth connection.
ISPs and Telcos (collectively sometimes referred to as "wholesale providers" or "wholesalers") also offer wholesale Internet access to subsidiary and specialized service providers, CLECs (Competitive Local Exchange Carriers), corporations, and Community of Interest (COI) providers. Naturally, the processing afforded customers of the wholesale variety differs from the processing afforded customers of the retail variety. Subscriber information for individual wholesale users is usually stored by those who lease data communications network access from the Wholesaler. Hence, corporations, CLECs and COI providers do not normally share their user information with the wholesale providers. The Wholesaler, however, typically also has its own retail subscribers whose user information is stored in its databases. In some cases, a particular user might have accounts with both a wholesale provider and a retail provider. Hence, the Wholesaler must distinguish between the user's wholesale and retail accounts and initiate different actions based upon their status or Service Level Agreements (SLAs).
Traditional wholesale ISPs and Roaming Service Providers offer network access through a technique called "authentication proxying." Proxying involves the transfer of the authentication responsibility to the "owner" of the subscriber. Thus, if a corporation was to outsource its corporate intranet to a Wholesaler, it would give up the maintenance of its dial-up servers (i.e., the NASes). It would not, however, normally want to give up the control of or information regarding its employees. Hence, when a corporate user connects to such a Wholesaler's network access servers, the user essentially perceives that the user is dialing into a corporate facility when the user is actually dialing into the Wholesaler's domain and then somehow gaining admittance to the corporation's intranet.
What really happens in that scenario is that the Wholesaler determines that the user belongs to Corporation A (CorpA) by parsing either the fully qualified domain name ("FQDN") (e.g., Joe@corpa.com) supplied by the user, reading the Dialed Number Identification Service ("DNIS") ID associated with the call, reading the call-line identification ("CLID") associated with the call, or by using some other known mechanism. Using a DNIS ID, the Wholesaler looks at the telephone number (or a specific NAS in access networks other than dial-up) through which the user is connecting to the network. So if a user calls in to 123-456-7890 from his number of 123-444-5555, then the Wholesaler can know which number was called, i.e., the completing station. Having determined that the user trying to gain access belongs to CorpA, the Wholesaler cannot authenticate the user by itself. As noted earlier, the user's record is still located on CorpA's equipment. Hence, the Wholesaler will "proxy" out the authentication transaction from its AAA proxy service to CorpA. An AAA service within the corporation domain then identifies the user, verifies the password, and provisions the user with appropriate authorizations. It may also receive accounting information, if desired. Then the AAA service at CorpA notifies the Wholesaler's proxy service that the user is acceptable and passes along provisioning details associated with the user (such as an IP (Internet protocol) address to use or a pool identification of an IP address pool from which an IP address needs to be allocated and any other information that may be needed). The Wholesaler then grants the user access to the network based upon the reply it gets back from CorpA. This technique is called "proxying." This is shown diagrammatically in FIG. 2.
To be able to perform basic proxying, the Wholesaler maintains minimal information on its proxy service 24 at its PoP. Information such as supported domain names, the IP address to which the transaction is to be sent, the port number (typically an OSI Layer 4 port number) to which the transaction is to be addressed, a shared secret between the proxy service and the remote AAA service, etc., are typically stored on proxy service 24's local configuration database 30.
For example, user Joe@corpa.com dials in to NAS1. A PPP (point to point protocol) session 26 is typically raised between Joe's terminal and NAS1 as is a LCP (Link Control Protocol) session. At this time the NAS1 generates an authentication request using a protocol such as RADIUS (Remote Authentication Dial-In User Service) to proxy service 24. Proxy service 24 then consults its local configuration database 30. Proxy service 24 then makes a determination about where to send the access-request packet. Here it decides to send it to the AAA service 32 maintained in the CorpA domain 34. The CorpA AAA 32 then consults its local database 36 and authenticates Joe@corpa.com. CorpA AAA 32 then returns an access-accept packet to proxy service 24 which, in turn, sends an access-accept packet to NAS1. Then an IPCP (Internet Protocol Control Protocol) session is raised between NAS1 and Joe's terminal during which an IP address is returned to configure Joe's terminal's PPP stack, thus completing the log-in of Joe@corpa.com.
Frequently a large corporation or similar entity will have a need to provide PoPs at a number of locations to service its clients, customers and/or employees in a number of different cities. For example, a corporation "CorpA" located in Los Angeles, Calif. might have some employees using dial-up lines from San Francisco, Calif. and New York City, N.Y. Particularly in this situation, as in the situation of individual conventional retail subscribers, it is desirable for an individual or a "group" of users such as a corporation, COI or the like to be able to arrange with the ISP to attain a certain level of B-Channel ISDN coverage at a particular PoP. Accordingly, the ISP or Telco would like to enter into an arrangement with the group whereby the group pays a fee for a more or less specific maximum number of B-Channels to be used at any one time. When the group exceeds this contracted number it is either cut off or charged an extra fee. In this regard, the term "group" is meant to include an individual user. In this way the ISP or Telco is able to plan for its expansion and receive realistic information on the number of these sessions that it must be able to support.
A data communications network with at least one PoP maintains a local cache database associated with each AAA service at the PoP on the data communications network. Each local database contains a group identification such as a domain identification corresponding to a group of users or an FQDN specifying a group of one individual, a maximum number of B-Channels to provide the group of users at the PoP and a dynamic B-Channel session count corresponding to active B-Channel connections currently provided to the group of users at the PoP. Actions are taken when the group attempts to exceed the maximum number of B-Channels by more than a predetermined number. The actions may include assessing extra charges, denying access, and sending warning messages to appropriate recipients. The local database may be synchronized by publishing B-Channel connection and disconnection events to all subscribing local databases. For proxy authentication users, the authentication information is published to the local caches of each AAA service at the PoP upon the first log-in of the user so as to avoid the need to proxy each successive connection authentication to a remote AAA service.
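The per-group accounting described above can be sketched as follows. This is an added example, not code from the patent: the class, method and action names are assumptions, an in-process list stands in for the publish/subscribe channel between the AAA services at a PoP, and the group is taken to be the domain part of the FQDN.

```python
from dataclasses import dataclass

@dataclass
class GroupEntry:
    max_channels: int        # contracted maximum B-Channels for the group at this PoP
    tolerance: int = 0       # the "predetermined number" allowed above the maximum
    action: str = "deny"     # taken beyond max + tolerance: "deny" or "surcharge" (assumed names)
    active: int = 0          # dynamic count of active B-Channel connections

class AAACache:
    """Local cache database of one AAA service; `bus` lists every subscribing cache."""

    def __init__(self, bus):
        self.groups = {}
        self.bus = bus
        bus.append(self)

    def provision(self, group, max_channels, tolerance=0, action="deny"):
        self.groups[group] = GroupEntry(max_channels, tolerance, action)

    @staticmethod
    def group_of(user):
        # Group identification: the domain part of the FQDN (Joe@corpa.com -> corpa.com).
        return user.rsplit("@", 1)[-1].lower()

    def connect(self, user):
        group = self.group_of(user)
        entry = self.groups.get(group)
        if entry is None:
            return "deny"                      # unknown group: fail closed
        over = entry.active + 1 > entry.max_channels + entry.tolerance
        if over and entry.action == "deny":
            return "deny"                      # nothing published, count unchanged
        self._publish(group, +1)
        return "surcharge" if over else "accept"

    def disconnect(self, user):
        self._publish(self.group_of(user), -1)

    def _publish(self, group, delta):
        # Publish the connection/disconnection event to all subscribing caches.
        for cache in self.bus:
            entry = cache.groups.get(group)
            if entry is not None:
                # Clamp at zero so a duplicate disconnect cannot create free capacity.
                entry.active = max(0, entry.active + delta)
```

Because every cache applies the same published events, a user who spreads B-Channel requests across several NASes at the PoP is still counted against a single group total.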